Creating the Demand Curve for Cybersecurity
Atlantic Council, Program on International Security, 2010
Melissa E. Hathaway
America’s future economic and national security posture, enabled by the digital revolution, is at risk. If the Obama administration is serious about mitigating that risk by increasing the security of the nation’s information and communications infrastructure, it should exercise every instrument of power at hand to move the United States toward a better place.

Nearly two years into this administration, there are fewer options available to drive progress. The President’s fiscal year 2011 budget, under review by Congress, maintains the status quo for funding cybersecurity programs. Further, the President’s staff continues to struggle with the complex policy formulation regarding cybersecurity, and has been slow to make progress on the nearly two dozen recommendations set forth in the administration’s Cyberspace Policy Review. Even if policy changes were imminent, little would change without a funding priority underpinning the initiatives. In the absence of a push to prioritize funding, the administration needs a new approach to mitigate our nation’s vulnerability to cyber attacks.

As a result of the midterm elections, the balance of power in Congress will change in January, making progress on administration policy priorities even more challenging. Nonetheless, the President does have levers of power available to him that he could use to raise awareness of what is at stake, enabling him to set the nation on a better path toward keeping our economy and citizens secure. These levers do not require congressional approval; rather, they require political resolve and determination to make dramatic changes in our risk posture during the remainder of the President’s term.

This proposal asks the President to turn to three independent regulatory agencies for help. This three-pronged strategy could dramatically increase awareness of what is happening to our core infrastructure, drive an innovation agenda to strengthen our information-security posture, and increase productivity, as it would reduce the losses being sustained on a daily basis by our companies and citizens.
Melissa Hathaway led President Obama’s Cyberspace Policy Review and previously led the development of the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush. She is now President of Hathaway Global Strategies LLC and Senior Advisor at Harvard Kennedy School’s Belfer Center.
The Program on International Security shapes and influences the debate on international security by facilitating dialogue through critical analysis and policy-relevant programming on the greatest security challenges facing the United States and the transatlantic community. The Program builds on the Council’s extensive network of experts and practitioners in North America and Europe to inform policy and to introduce ideas into the public debate. The Program influences policy and shapes ideas by publishing task force reports and analytical issue briefs, providing a public speaking platform for leaders in international security, briefing policymakers and national security leaders in private strategy sessions, and hosting working groups to tackle the most complex challenges in international security. For more information, contact Vice President and Director of the Program on International Security Damon Wilson or Associate Director Magnus Nordenman.

The Program on International Security’s work on cyber security issues is generously supported by SAIC.
Tunin t the Secuities andExchane Cmmissin
First, the President should consider asking the Securities and Exchange Commission (SEC) to evaluate the importance of requiring chief executive officers (CEOs) to attest to the integrity of their companies’ information infrastructure. The SEC could open a dialogue with industry through an administrative notice, informing companies that the SEC would consider a rule regarding the thresholds of materiality risk in the area of information security. This would put registrants on notice that the SEC is likely to require more information from company management to verify the existence of proper safeguards. More specifically, the SEC would request that registrants show an ability to protect proprietary and confidential personal data, demonstrate the existence of appropriate safeguards for mission-critical systems, and explain their ability to quickly and effectively respond to a cybersecurity incident.

Such an announcement would recognize that companies continue to face significant challenges when it comes to their ability to appropriately protect their computer systems; to secure their proprietary, customer, and financial information; and to safeguard the integrity of business and other transactions they conduct over the Internet. Reports released daily reveal that significant industry losses result from poor information-security policies and porous infrastructures. This is an area that needs greater transparency. In fact, a recent Ponemon Institute report disclosed that on “an annualized basis, information theft accounts for 42 percent of total external costs, and the costs associated with disruption to business or lost productivity account for 22 percent of external costs.”[1] Many firms are resistant to public disclosure because the details of their compromises or security breaches may change public perception, or impact customer confidence or competitive advantage.
[1] Ponemon Institute, “First Annual Cost of Cyber Crime Study,” July 2010.
We may, however, be at a turning point. Since Google’s January 2010 disclosure of Chinese-origin cyber attacks (known as Operation Aurora), more executives are discussing the topic of information security and cybersecurity. Alan Paller of the SANS Institute announced that the Google incident affected more than 2,000 companies.[2]
In January 2010, Intel Corporation disclosed risk areas in its annual report filed with the SEC, noting: “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” Intel’s disclosure suggests that its management understands the risk assumed by the business. Can the SEC encourage other companies to adopt more proactive measures to determine whether they have been penetrated and have lost information? Simply beginning a dialogue on this issue may force companies to better understand the scope, adequacy, and effectiveness of their internal control structures, and the procedures they use to protect their information assets (data and infrastructure); better yet, this dialogue could prompt them to invest in risk-mitigation actions.

But if that is not enough, in its review of registrants’ quarterly and annual reports and other filings, the SEC staff could ask registrants whether they have adequately disclosed material risk to their company’s protection of customer data, proprietary data, and mission-critical systems and infrastructures. Separately, auditors could assess the company’s internal controls for the protection of internal financial and management data. After all, if that data is not secure, how can their assessments of the company’s financial position be reliable to shareholders?

There are other attendant benefits that could result from the SEC moving in this direction. First, such a move would force a national (if not international) dialogue on the extent of professional criminal activity and the depth of economic espionage being conducted against global corporations worldwide. Boardrooms around the world would turn to the CEO, chief information security officer (CISO), chief information officer (CIO), and chief risk officer (CRO) to ask what they are doing to improve the level of security of their infrastructure and the online environment that supports it. As material risk is discovered, reporting would result in improved data and statistics, and perhaps yield a quantitative picture of the economic impact of intrusions.
[2] Alan Paller, “SANS What Works in Security Architecture Summit 2010,” Las Vegas, Nevada, May 2010.
This risk disclosure could also help to identify solutions to the root cause of the problem. Companies would demand industry-led innovation with a newfound sense of urgency, in order to eliminate or mitigate the risk reported in the following year. Companies may turn to their Internet service providers (ISPs) to provide increased managed-security services on their behalf. Concurrently, the security-product industry would have an increased market-driven requirement to deliver products that perform with higher assurance levels. The research community would also have access to data that would facilitate idea creation and innovative solutions to increase security across the entire architecture.
The increased data that would result from such risk filings could also lead to the growth of an insurance industry to help companies absorb costs if the data shows a minimum standard of due care. Some insurance companies are beginning to offer policies designed to protect businesses should they fall victim to intrusions or other forms of online disaster. However, there is still not enough actuarial data on which to reliably base the premium rates.[3] If companies were required to disclose intrusions and the associated external costs of lost intellectual property or lost productivity, then insurance policies and costs would be more predictable. As more data becomes available, a standard of care, or “best practices” of the enterprise, could emerge. This would allow businesses to deploy capabilities in a way that would provide adequate protection, taking into account risk requirements and business operations. Then, if a corporation had implemented adequate defenses of its networks or information assets, and a breach occurred (e.g., illegal copying and movement of data), it could call upon its insurance plan to offset the losses. Such action would lead to a discussion of liability, and may in fact reveal the legal underpinnings associated therein.
This proposal may seem dramatic, and industry may appeal based on the unintended consequences of implementing such a rule in this area, arguing high costs and reduced competitiveness. But regulators can compare this proposal to the Sarbanes-Oxley Act of 2002, which introduced major changes to the regulation of corporate governance and financial practice as a result of identified weaknesses, illustrated by the Enron case, among others. And why shouldn’t the SEC take measures to protect the near-term economic infrastructure and long-term growth for publicly traded companies?
[3] David Briody, “Full Coverage: How to Hedge Your Cyber Risk,” Inc., April 1, 2007, www.inc.com/magazine/20070401/technology-insurance.html.
Tunin t the FedealCmmunicatins Cmmissin
Concurrent with the SEC option, the President can also turn to the Federal Communications Commission (FCC) to enlist private-sector talent, requiring the core telecommunications providers and ISPs to shoulder more of the burden of protecting our infrastructure. The major telecommunications providers and ISPs collectively have unparalleled visibility into global networks, which, given the proper tools, enables them to detect cyber intrusions and attacks as they are forming and transiting toward their targets.[4]

They even have the ability to tell the consumer if a computer or network has been infected. For example, Comcast is “expanding a pilot program that began in Denver last year, which automatically informs affected customers [by sending them] an e-mail, urging them to visit the company’s security page.”[5] Customers are receiving alerts, being offered antivirus customer service, and receiving free subscriptions to Norton security software. While this enhanced service is in the nascent stages, these companies also employ sophisticated tools and techniques for countering attacks against their own infrastructure and networks. So, why doesn’t the FCC mandate that this service be provided more generally, to clean up our infrastructure? Doing so could open a dialogue or lead to a request to limit the liability for providing such a managed security service. Perhaps the “Good Samaritan” clause in the Telecommunications Act of 1996 could be reviewed and applied to quell any concerns that may surface.[6]
[4] U.S. House of Representatives, HR 5136, 111th Congress, National Defense Authorization Act of 2011.
[5] Brian Krebs, “Comcast Pushes Bot Alert Program Nationwide,” Krebs on Security, 4 October 2010, http://krebsonsecurity.com/2010/10/comcast-pushes-bot-alert-program-nationwide/.
[6] The Telecommunications Act of 1996, Pub. L. No. 104-104, 110 Stat. 56. The 1996 Telecommunications Act included a “Good Samaritan” provision designed to protect Internet Service Providers (ISPs) from liability when they act in good faith to block or screen offensive content hosted on their systems (Id. § 230[c]).
